During Monday's CSI/SX Web 2.0 Security Summit our panel moderator Jeremiah Grossman said something that resonated with me. Just as I was talking through my slides and verbalizing my confusion with Google Chrome's "Task Manager", he asked if Chrome is less browser and more platform... interesting question!
Interestingly enough as I sent this to a colleage, Tyler Reguly, he pointed out that this topic had been talked about significantly before - without really very many answers... and certainly not well-conversed in security circles.
What's Google's intent here, one may ask? While I can't speak for Google or the Chrome development team I can speculate that it appears as though there is some greater purpose for Chrome in the maybe not-too-distant future.
Allow me to draw a parallel with something most of you will be familiar with - Microsoft NT v4.0. Before you start laughing consider this - the same way that Windows NT4 was sold as "stable"... Chrome is being sold now (see explanation here.) If one of the Chrome tabs or windows becomes compromised, it is still process-isolated from the other tabs/windows and can be closed without impact to them. Interestingly enough, if I recall correctly Microsoft's literature read almost verbatim.
What I want to know is... have browser makers crossed over that threshold from simple "web code sandbox" into something more? Are browser makers now starting to see the browser as a platform, onto which other features will be built? This seems rather logical given the fact that browers have become so complex that they are in themselves a layer of abstraction, between the portable code off the web and the machine they run on. I mean, look at FireFox! FireFox has a rich plug-in architecture that allows development of programs on top of FireFox. The problem with that architecture is that the plug-ins and the core browser functionality are not logically separate, which leads to a massive new attack surface and a condition where a single mischievous plug-in can completely compromise the security of the web application and the user, but I digress.
The question is - does having a feature like a task manager make Google Chrome something more than a simple web browser? Does having features that resemble operating system features from back when operating systems were maturing necessitate a new label... or am I simply over-thinking this "feature"?
Let's hear what you think.